MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ab77e961ee2eaaee3da8d49b8f9f09444b279c6f258cf8e9769e4a16c22fbd4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9ab77e961ee2eaaee3da8d49b8f9f09444b279c6f258cf8e9769e4a16c22fbd4
SHA3-384 hash: 9af493a57f73647ae5b866467eef581b8913cca0e17242a9a3ac0b3674892183cb9af0f5c10b20e199f09d154ae774ed
SHA1 hash: b631e2d6910155d57982f27a0cebea4d5695c08b
MD5 hash: 20ad07241b54c7690a5914b6069151b2
humanhash: louisiana-table-ohio-ten
File name:Revised invoice.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:671'744 bytes
First seen:2023-11-02 10:00:19 UTC
Last seen:2023-11-02 21:53:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:DODN9e6QLaK0//g91Xp3vjb3SMJeHH6GpP6TitTPuvdXp/Oat:yD3e6QLEWoRHvpPS
Threatray 21 similar samples on MalwareBazaar
TLSH T14FE4E09C3625B2DFC817C9769DA82C64EA2074BB431BC247945716ED9A0CAE7CF141F3
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter cocaman
Tags:exe FormBook INVOICE payment

Intelligence

File Origin
# of uploads :
6
# of downloads :
336
Origin country :
CH CH
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/457765/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Launching a process
Creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/6543735e0ca0b01851729806/reports/7639d1fd-0ad7-4334-8911-11b5169ae3ae/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/9ab77e961ee2eaaee3da8d49b8f9f09444b279c6f258cf8e9769e4a16c22fbd4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/48e45d99-01d6-4d99-9698-ff93ca3ea430
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1335908
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1335908 Sample: Revised_invoice.exe Startdate: 02/11/2023 Architecture: WINDOWS Score: 100 29 www.waterdropdilter.com 2->29 31 www.waktugaspoolne3.xyz 2->31 33 13 other IPs or domains 2->33 45 Multi AV Scanner detection for domain / URL 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Antivirus detection for URL or domain 2->49 51 8 other signatures 2->51 10 Revised_invoice.exe 3 2->10         started        13 svchost.exe 1 1 2->13         started        signatures3 process4 dnsIp5 61 Detected unpacking (changes PE section rights) 10->61 63 Detected unpacking (overwrites its own PE header) 10->63 16 MSBuild.exe 10->16         started        41 127.0.0.1 unknown unknown 13->41 signatures6 process7 signatures8 43 Maps a DLL or memory area into another process 16->43 19 ytlMruYnLdNQkVHmCzZdHd.exe 16->19 injected process9 process10 21 unregmp2.exe 13 19->21         started        signatures11 53 Tries to steal Mail credentials (via file / registry access) 21->53 55 Tries to harvest and steal browser information (history, passwords, etc) 21->55 57 Writes to foreign memory regions 21->57 59 3 other signatures 21->59 24 ytlMruYnLdNQkVHmCzZdHd.exe 21->24 injected 27 firefox.exe 21->27         started        process12 dnsIp13 35 4juris.xyz 198.136.59.220, 49749, 49750, 49751 DIMENOCUS United States 24->35 37 www.pmiy0a.cfd 107.148.95.217, 49757, 49758, 80 PEGTECHINCUS United States 24->37 39 4 other IPs or domains 24->39
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9ab77e961ee2eaaee3da8d49b8f9f09444b279c6f258cf8e9769e4a16c22fbd4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9ab77e961ee2eaaee3da8d49b8f9f09444b279c6f258cf8e9769e4a16c22fbd4/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-11-02 07:26:40 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tk3x5fq64lvk5y62rve3r6pqsrcle6og6jmm7duxnhskc3bc7pka._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
08f858c188cfd3e620b156b53c1a9fb49d67445ffc6b5c004f87a93f44aa15a2
Formbook
3f98f70b03b079fcf00f40d8819a849513f391eca65c7a3424687138924c60a9
Formbook
7c0276edd9ce400d92a0b135a90b3d0f055991aad22ba1acb0fac193636eb621
Formbook
7d1d279985060889c0213cae4ae9b4e8fecabc7c021b076d6034fdaaa1d903ae
Formbook
9926f3b8249ae808a2473461cfc06b1d586aeed9392eed10722fdcb3a9f1483b
Formbook
e4b2f31e7c9fb2df6cf161898f23653c49d758f8f733e5910b99f3fd998569e0
Formbook
fa75be54659c7ffd8f59a49687c1ddf79c333861043831395b0fb10b87401f7d
Formbook
fcdc9c84c2d743794b07d4cff425214fa4466f3698e88d36cd6956531303ab1f
Formbook
+ 11 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231102-l17h9aac9x/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Unpacked files
SH256 hash:
d5da05f1416458576ea4527f0ed94700c06445acc8bb47fd8b352c9a62e23600
MD5 hash:
9f4c3d3266ba95825ca829c7fbd8826c
SHA1 hash:
ded07a160a1d0434c505c2e47f2163567c22e664
Link:
https://www.unpac.me/results/0cd9a913-4037-4686-8480-2e3d7c4f9aa0/
SH256 hash:
0ba1122a32e87e976c3c1076bc93d38b8da59635dd7541bbbe393cd6b76170ee
MD5 hash:
114a8ee279e136584a12827ac26ede30
SHA1 hash:
72a7bed5b5e5c5a69a5570772d22418bbe55e9f9
Link:
https://www.unpac.me/results/0cd9a913-4037-4686-8480-2e3d7c4f9aa0/
SH256 hash:
d7cc271acd8d3e4acc90804950c67e056d4e387a4098ce24468f7012f09a2dd7
MD5 hash:
7f58adba98faa1a97a9081c4702ace6b
SHA1 hash:
9465c842473c32bee3e9d0c3a4ff79f583774921
Link:
https://www.unpac.me/results/0cd9a913-4037-4686-8480-2e3d7c4f9aa0/
SH256 hash:
2fc6e7a93e0fbed4e6ca48c98af13c7339db7bff52a1bdce39b1c83c8e453878
MD5 hash:
af053f732b77a9c89118b0e73d2dd656
SHA1 hash:
64b34d32f5dca8ec21ffeceebe6d6c9dfc562c4d
Link:
https://www.unpac.me/results/0cd9a913-4037-4686-8480-2e3d7c4f9aa0/
SH256 hash:
c34dfbc328de247d25d670c3b7853f1dddd2ec2607d5dbb0480743b45a15ea64
MD5 hash:
85b87384830444e6ab86a4a692ce96cc
SHA1 hash:
0d7d4614cf31d27e68ebf48e76fb1d308cc08152
Link:
https://www.unpac.me/results/0cd9a913-4037-4686-8480-2e3d7c4f9aa0/
SH256 hash:
9ab77e961ee2eaaee3da8d49b8f9f09444b279c6f258cf8e9769e4a16c22fbd4
MD5 hash:
20ad07241b54c7690a5914b6069151b2
SHA1 hash:
b631e2d6910155d57982f27a0cebea4d5695c08b
Link:
https://www.unpac.me/results/0cd9a913-4037-4686-8480-2e3d7c4f9aa0/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9ab77e961ee2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9ab77e961ee2eaaee3da8d49b8f9f09444b279c6f258cf8e9769e4a16c22fbd4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip c27900905ec18d4daae5294f041d6a8080091fcce79b5181aaebbe6933aca5c6

Formbook

Executable exe 9ab77e961ee2eaaee3da8d49b8f9f09444b279c6f258cf8e9769e4a16c22fbd4

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 c27900905ec18d4daae5294f041d6a8080091fcce79b5181aaebbe6933aca5c6
Cape
Cape
https://www.capesandbox.com/analysis/457765/
  
Dropped by
SHA256 c7cf5503bef42294f7e1269c98bc1e4e9084918389054741779d76959e95f00a
  
Dropped by
MD5 7bfccad26e26dfb9b8da5e98412e61ad
  
Dropped by
MD5 8c62dfe599a60405213b0ca588fd7021

Comments